Articles Posted in Privacy

Published on:

CCPA California Consumer Privacy ActProtecting consumer data privacy in the age of artificial intelligence and increased digital commerce is a growing concern. In June 2018, the California Consumer Privacy Act (CCPA) introduced provisions to protect consumers and became the first U.S. law that can be viewed as a response to GDPR. Going into effect on January 1, 2020, legislation of this scope has far-reaching tendrils that may breed unintentional consequences.

Let’s explore some of the implications of this law in the context of a recent letter sent by Clark Kent to a large internet company.

++++++++++++++++++++++++++++++++

Mr. Clark Kent
1938 Comicbook Ln.
Metropolis, CA 90999

January 1, 2020

Chief Information Officer
Totally Not Evil Internet Corp.

Dear sir or madam,

I write this letter to exercise my rights under the California Consumer Privacy Act (CCPA). As you are no doubt aware, the CCPA became effective today. I would like to be honest with you. You’ve probably guessed why I’m writing this. I have read about the advances of your company’s facial recognition algorithms and machine learning research. I expect it was a shock when your software figured out what I look like without glasses.

Since your company meets all three of the thresholds outlined in the CCPA (even though your company only needs to meet one), I hope that you will take my letter seriously. Specifically, from my cursory research, your company (1) has annual gross revenue over $25 million; (2) annually buys, receives, sells or shares the personal information of 50,000 or more consumers, households or devices for commercial purposes; and (3) derives 50% or more of your annual revenue from selling consumer personal information.

Now that we have that out of the way, I want to voice my concerns. A surprisingly broad array of information is covered by the CCPA. For example, “personal information” is defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” (And, as a “consumer” under the CCPA is merely a natural person who is a resident of California—that means me.) I note that the definition of personal information specifically includes biometric information, as well as audio, electronic, visual, thermal, olfactory or other similar information. It sure seems that any photos, videos, audio recordings, etc., of Superman in your possession could reasonably be indirectly linked to myself and should therefore be considered my personal information. Because the CCPA covers information that could be reasonably indirectly linked to my entire household, I think you should also include such information or data pertaining to my dog, Krypto, in this request.

Please consider yourself lucky if you do not have any olfactory information obtained from Krypto, but, if you do, please include it in this request as well.

Before you object on the grounds that photos of Superman (and Krypto) are publicly available information (and therefore not covered by the CCPA), I should point out that the drafters of the CCPA saw fit to define the term “publicly available” very narrowly: “For these purposes, ‘publicly available’ means information that is lawfully made available from federal, state, or local government records.” So, for instance, it seems to me that when one of your users takes a selfie with Superman after being rescued from a burning building, collapsing bridge, or the like, and that user’s smartphone automatically uploads that photo to your cloud storage service, I think I have a colorable argument that such selfie contains personal information about me and your company must disclose to me if it subsequently uses that photo for business or commercial purposes, such as including it in a training set for your facial recognition software .

Perhaps you disagree. I can see where you might think the CCPA is unclear. But the real question is whether you want to spend the resources necessary to fight the lawsuit that I am able to bring against Totally Not Evil Internet Corp. in the event that you do not encrypt a photo like that and there is any unauthorized access and exfiltration, theft or disclosure of that photo. The nature of my secrets being as delicate as they are, I would be interested to see how a court views “reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.” How secure is your data security? Please remember that under the CCPA, I could seek recovery of actual damages. Considering the last time someone found out my secret identity it resulted in several city blocks being reduced to rubble, you might want to remember that actual damages in my case exist on a considerable scale.

Accordingly, I would like to request the following:

    • That, per Cal. Civ. Code section 1798.100, you reveal to me all categories of personal information that you have collected in relation to me or my household (please include Krypto, Superman, and, as things have been going very well lately, Lois Lane), as well as the specific pieces of information you have collected (yes, including olfactory information).
    • That, per Cal. Civ. Code section 1798.105, you delete all such information.
    • That, per Cal. Civ. Code section 1798.110, you disclose to me the categories of sources from which my personal information was collected and the categories of third parties with whom you share my personal information.
    • That, per Cal. Civ. Code section 1798.110, you disclose to me the business or commercial purposes for collecting or sharing my personal information.
    • That, per Cal. Civ. Code section 1798.115, you disclose whether or not you have sold or disclosed my personal information to third parties, and if so, the categories of my personal information that Totally Not Evil Internet Corp. has sold or disclosed to third parties.
    • And lastly, that, per Cal. Civ. Code section 1798.120, you cease selling my personal information to third parties.

As provided by Cal. Civ. Code section 1798.130, I shall await your complete response to the above requests within 45 days. And should you try to hide the full extent to which you have collected and used my personal information, I will remind you that, in addition to risking significant penalties that the California Attorney General can seek against you, I work with the best investigative reporter in the business.

Sincerely,

Clark J. Kent

(P.S. I expect you will shortly receive similar letters from my friends, Diana, Hal and Oliver.)

++++++++++++++++++++++++++++++++

As you can see from Mr. Kent’s letter, the CCPA is complex legislation that impacts many aspects of today’s consumer-facing commerce. Under the CCPA, consumers are entitled to seek broad categories of information from businesses—requiring businesses to let a requesting consumer know what personal information is collected from that consumer, the sources from which that information is collected and the business purposes for collecting or selling the information and third parties with which the information is shared. There is no question that this law is forcing businesses to change how they handle data. What businesses should ask themselves is whether they are implementing necessary changes fast enough to avoid the expensive fines, class action suits and injunctions that can result from non-compliance with the CCPA.

Published on:

facial recognitionNo one knows your face as well as your iPhone does. All the unique variances of your face that make it yours and yours alone, these are all data points that your iPhone uses to unlock your phone using a face in place of a thumbprint. This same data that the iPhone collects can be used by the underlying tech—facial recognition technology—in a vast array of applications, from border control to photo tagging to law enforcement. But is this data (the measurement of the space between the eyes, the texture of the skin, etc.) open data? Or do individuals have a right to protection of an image of their face?

Continue reading →

Published on:

directive on copyrightDo you like getting your news online, sharing videos or tweeting memes? A little piece of legislation known as The European Union Directive on Copyright in the Digital Single Market may signal the end of some of the internet’s simple pleasures. On September 13, the European Parliament approved new legislation that would overhaul the region’s approach to copyright law. As with the EU’s privacy regulations, the legislation could have an impact far beyond Europe, redrawing the lines of liability that exist between poster, publisher and platforms. Not surprisingly, technology companies and publishers like Google, Amazon, and Wikipedia strongly opposed the legislative changes.

Continue reading →

Published on:

privacy shieldThe European Parliament adopted a resolution earlier this month to suspend the EU-U.S. Privacy Shield agreement. The Privacy Shield is a protocol that provides for the exchange of personal data between the EU and the United States for commercial purposes. Adopted in 2016 after the European Court of Justice invalidated the Safe Harbor arrangement, the shield is intended to safeguard the “fundamental privacy rights” of European citizens with respect to data transfers between signatory countries.

Continue reading →

Published on:

livestreamEvery day, millions of people are being unwittingly recorded by others. Every person you see walking down the street likely has a means to record your image and transmit it to billions of people at a whim. But, would you have ever expected that your Lyft or Uber ride was being broadcast across the globe for others’ entertainment? For some passengers in St. Louis, this was their reality.

Continue reading →

Published on:

Google-duplex-300x200If you haven’t seen Sundar Pichai’s presentation on Google Duplex, watch it. The technology is fascinating.

Google is developing software that can assist users in completing specific tasks such as making reservations by telephone. The software uses anonymized phone conversations as the basis for its neural network and in conjunction with automated speech recognition and text-to-speech software can have independent phone conversations with other people. Incredibly, the software requires no human interaction—at least by the user requesting the service—to complete its task. The result is that you can task the software to setup a haircut appointment for you, or book a table at a restaurant where it is difficult to get reservations, with no further input needed. It can also work with different scheduling options if your preferred time is not available. And importantly, the conversations seem natural—it is very difficult to tell that one of the participants in the conversation is a computer.

Continue reading →

Published on:

iStock-518662466-social-media-secrets-300x264If there’s a golden rule for the online age we live in, it’s “Always assume anything you post online will be visible to all.” Just like the original Golden Rule, it’s a maxim ignored often enough to bear repeating and frequent illustration. With that in mind, let’s check in on recent developments regarding social media revealing details its users would rather conceal—bankruptcy edition.

Continue reading →

Published on:

Recent developments in deep learning artificial intelligence have enabled almost anyone to superimpose facial features—including an entirely different face—into a preexisting video with relatively minimal effort. Until very recently, editing facial features in a video has been incredibly difficult. Even movie studios with access to professional video editing tools have struggled with the task as recently as in 2017, when actor Henry Cavill—portraying everyone’s favorite son of Krypton—sported a mustache he was contractually unable to remove during reshoots, leading to a widely criticized post-production digital shave. Because of the inherent difficulty in convincingly manipulating video to appear realistic, the public has widely been trusting of video’s authenticity while viewing still photos more skeptically. With recent developments in artificial intelligence, this thinking must now change.

Continue reading →

Published on:

As we discussed recently, the Equifax data breach has inevitably brought a great deal of scrutiny and legal action against the credit reporting agency. Amidst the numerous brewing class actions and other reactions from government agencies and state AGs, it’s worth pointing out another front on which the company—and more importantly, individuals within the company—may face legal consequences.

Continue reading →

Published on:

equifax-logoSince September 7, 2017, Equifax, one of three credit rating agencies in the United States, has been dealing with the fallout from one of the largest (known) data breaches of personal information, putting 143 million Americans at risk from fraud and identity theft (roughly 44% of the U.S. population).

Continue reading →